
Pilot Configuration of multifactor authentication


MFA for the whole application

Note

As a service provider, you can configure multifactor authentication (MFA) for your applications.

Please note: if you enable MFA for an application, all users must authenticate to that application via MFA.

Please inform the application users ahead of time and remind them to set up an MFA token.

Configuration in Shibboleth

In the file /etc/shibboleth/shibboleth2.xml (default location on RHEL-compatible systems), add or extend the following sections:

Option 1: In the SSO element

<SSO entityID="https://login.rz.rwth-aachen.de/shibboleth"
     authnContextClassRef="https://refeds.org/profile/mfa">
    SAML2
</SSO>

The SSO element can be placed in <ApplicationDefaults>, in which case the setting applies to all configured service providers (global setting), or in an <ApplicationOverride>, in which case it applies only to that specific service provider.

Option 2: In RequestMapper

Changes to the Path:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="example.com">
      <Path name="secure" authnContextClassRef="https://refeds.org/profile/mfa"
            authType="shibboleth" requireSession="true" />
    </Host>
  </RequestMap>
</RequestMapper>

The decisive attribute here is authnContextClassRef: it tells the SP to request this authentication context from the identity provider for the mapped path.

Changes to host:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="example.com" authnContextClassRef="https://refeds.org/profile/mfa"
          authType="shibboleth" requireSession="true" />
  </RequestMap>
</RequestMapper>

Advanced MFA configuration

If further conditions are to be checked as well, such as specific attribute values, host names or client addresses, or if MFA is to be required only in certain cases, these rules are configured in Apache.

Configuration Apache version 2.4 or above:

AuthType shibboleth
ShibRequestSetting requireSession true

<RequireAll>
    Require authnContextClassRef https://refeds.org/profile/mfa
    Require shib-session
</RequireAll>

Configuration Apache on versions below 2.4:

AuthType shibboleth
ShibRequestSetting requireSession true
ShibRequireAll on
ShibCompatWith24 on

Require authnContextClassRef https://refeds.org/profile/mfa
Require shib-session

Example: Users within the RWTH network do not need MFA, everyone else does

Configuration Apache version 2.4 or above:

AuthType shibboleth
ShibRequestSetting requireSession true

<RequireAny>
    Require Host rwth-aachen.de
    <RequireAll>
        Require authnContextClassRef https://refeds.org/profile/mfa
        Require shib-session
    </RequireAll>
</RequireAny>

Step Up Authentication

When using Step Up authentication, you define an additional service provider in shibboleth2.xml. This service provider must be registered with RWTH Single Sign-On; to do so, please send an e-mail containing the RFC ID and a link to the additional metadata to servicedesk@itc.rwth-aachen.de.

If MFA should only apply to certain areas of an application, the following must be configured for each path that is to be protected with MFA:

Configuration Shibboleth

Adjust in the file /etc/shibboleth/shibboleth2.xml:

In RequestMapper:

<RequestMapper type="Native">
  <RequestMap>
    <Host name="example.com">
      <Path name="stepup" applicationId="stepup2f"
            authnContextClassRef="https://refeds.org/profile/mfa" />
    </Host>
  </RequestMap>
</RequestMapper>
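As an added example (not part of this documentation or of the Shibboleth project), the following Python script audits the RequestMapper of a shibboleth2.xml: it resolves the content settings that Host and Path elements inherit from their parents, as used in Option 2 above and in the step-up mapping, and lists every location whose effective authnContextClassRef is not the REFEDS MFA profile. The embedded configuration is a constructed sample.

```python
import xml.etree.ElementTree as ET

MFA = "https://refeds.org/profile/mfa"

# Constructed sample modelled on the RequestMapper snippets above (not a real config).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="example.com">
        <Path name="secure" authnContextClassRef="https://refeds.org/profile/mfa"
              authType="shibboleth" requireSession="true"/>
        <Path name="stepup" applicationId="stepup2f"
              authnContextClassRef="https://refeds.org/profile/mfa"/>
        <Path name="public"/>
      </Host>
      <Host name="mfa.example.com" authnContextClassRef="https://refeds.org/profile/mfa"
            requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>"""

# Content settings that child nodes inherit from their parent in the RequestMap.
INHERITED = ("applicationId", "authnContextClassRef", "requireSession", "authType")

def _walk(elem, inherited, prefix, out):
    """Record the effective settings of this node, then descend into its Path children."""
    settings = {k: elem.get(k, inherited.get(k)) for k in INHERITED}
    out[prefix] = settings
    for child in elem.iterfind("{*}Path"):
        _walk(child, settings, prefix + "/" + child.get("name", ""), out)

def effective_settings(xml_text):
    """Return {'host[/path...]': settings} for every Host and Path in the RequestMap."""
    root = ET.fromstring(xml_text)
    out = {}
    for rmap in root.iterfind(".//{*}RequestMap"):
        base = {k: rmap.get(k) for k in INHERITED}
        for host in rmap.iterfind("{*}Host"):
            _walk(host, base, host.get("name", ""), out)
    return out

def locations_without_mfa(xml_text):
    """Hosts/paths whose effective context is not the REFEDS MFA profile."""
    return sorted(loc for loc, s in effective_settings(xml_text).items()
                  if s["authnContextClassRef"] != MFA)

# locations_without_mfa(SAMPLE) -> ['example.com', 'example.com/public']
```

Note that the host root (example.com) itself is reported, since a Host without its own authnContextClassRef only protects the Paths that set one.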

ApplicationOverride:

<ApplicationOverride id="stepup2f" entityID="https://example.com/stepup2f/shibboleth2">
    <Sessions lifetime="7200" timeout="900" checkAddress="false"
              handlerURL="/stepup/Shibboleth.sso" handlerSSL="true" cookieProps="https">
        <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                          relayState="cookie" entityID="https://login.rz.rwth-aachen.de/shibboleth">
            <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html" />
            <SessionInitiator type="Shib1" acsIndex="5" forceAuthn="true" />
        </SessionInitiator>
    </Sessions>
</ApplicationOverride>

Configuration Apache version 2.4 or above:

AuthType shibboleth
ShibRequestSetting requireSession true
ShibRequestSetting applicationId stepup2f

<RequireAll>
    Require authnContextClassRef https://refeds.org/profile/mfa
    Require shib-session
</RequireAll>

Configuration Apache for versions below 2.4:

AuthType shibboleth
ShibRequestSetting requireSession true
ShibRequestSetting applicationId stepup2f
ShibRequireAll on
ShibCompatWith24 on

Require authnContextClassRef https://refeds.org/profile/mfa
Require shib-session

last changed on 05/30/2023


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License